Just my personal stuff

Category Archives: IT related stuff

I recently set up a new email account for a customer who uses Outlook 2016 for Mac OS X. The customer was able to set up the account in Outlook without any issues, but when he tried to send mail he received the following error:

Authentication fails with error 17895

After some testing on our end we worked out that our server did not offer a suitable authentication mechanism on SMTP: it only offered PLAIN, and Outlook 2016 for Mac does not support the PLAIN mechanism.

The server we use is a Modoboa setup, which uses Postfix with Dovecot providing the SASL authentication for SMTP. In the file /etc/dovecot/conf.d/10-auth.conf there is an option called auth_mechanisms which lists the authentication mechanisms the server will offer. Adding 'login' as an additional mechanism allows Outlook to authenticate; Dovecot needs to be restarted for the change to take effect. Note that LOGIN, like PLAIN, transmits the credentials unencrypted, so keep disable_plaintext_auth = yes (the Dovecot default) so that either mechanism is only offered once TLS has been established.

In a standard Modoboa setup (and probably in a standard Dovecot setup as well) the relevant section in /etc/dovecot/conf.d/10-auth.conf looks as follows:
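As an added example (not the post's own config or code): the shell helpers below check which SASL mechanisms a server actually advertises in its EHLO reply, so you can confirm that LOGIN is missing before the change and offered after it, and add a mechanism to the auth_mechanisms line of a Dovecot conf file without duplicating it. The host name mail.example.com and the two EHLO replies are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original post. Two helpers for the situation
# above: (1) read the mechanisms a server advertises in its EHLO reply;
# (2) add a mechanism to the auth_mechanisms line of a Dovecot conf file
# idempotently. The host name and the EHLO replies are constructed.
#
# On a real server, capture the post-STARTTLS capabilities with
#   openssl s_client -quiet -starttls smtp -connect mail.example.com:587
# and type "EHLO test" once the TLS handshake is done; Postfix normally only
# advertises AUTH after STARTTLS (smtpd_tls_auth_only = yes).

# Constructed reply from a server offering PLAIN only (the failing case).
EHLO_PLAIN_ONLY='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250 8BITMIME'

# Constructed reply after "login" was added to auth_mechanisms.
EHLO_PLAIN_LOGIN='250-mail.example.com
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# Print the advertised SASL mechanisms: upper-cased, deduplicated, sorted,
# space-separated. Both the RFC 4954 "AUTH PLAIN" form and the legacy
# "AUTH=PLAIN" form that Postfix emits for old clients are read.
smtp_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        toupper($0) ~ /^250[- ]AUTH[ =]/ {
            line = toupper($0)
            sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, " ")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# has_mech "<list from smtp_auth_mechs>" LOGIN  -> exit 0 if it is offered
has_mech() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Append MECH to the auth_mechanisms line of CONF unless already present.
# Dovecot's default line is "auth_mechanisms = plain"; the fix for Outlook is
# "auth_mechanisms = plain login". Prints the resulting line. Restart Dovecot
# afterwards; keep disable_plaintext_auth = yes so LOGIN is TLS-only too.
dovecot_add_mech() {
    local conf=$1 mech=$2
    grep -Eq '^[[:space:]]*auth_mechanisms[[:space:]]*=' "$conf" \
      || { echo "no auth_mechanisms line in $conf" >&2; return 1; }
    if ! grep -Eqi "^[[:space:]]*auth_mechanisms[[:space:]]*=.*[[:space:]=]$mech([[:space:]]|\$)" "$conf"; then
        sed -E "s/^([[:space:]]*auth_mechanisms[[:space:]]*=.*)\$/\\1 $mech/" "$conf" > "$conf.tmp" \
          && mv "$conf.tmp" "$conf"
    fi
    grep -E '^[[:space:]]*auth_mechanisms' "$conf"
}
```

Run smtp_auth_mechs on the captured EHLO reply before and after editing 10-auth.conf; if LOGIN still does not show up after the Dovecot restart, the SMTP server is not using Dovecot for SASL and the change was made in the wrong place.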

Some time ago I noticed lots of hacking attempts on some of the servers I manage. Some of them are mail servers where attackers were brute-forcing SMTP user/password combinations; others are web servers with WordPress and Magento sites where the logs showed lots of attempts to find vulnerabilities in those sites.

One way of dealing with this is to implement fail2ban, which can be effective if configured right, but I wanted to try to block the majority of these attempts at the firewall. So I started collecting addresses from the logs and blocking them with ordinary iptables rules. This worked for the first 50-60 addresses but soon became unmanageable. Then I found out about publicly available blocklists such as blocklist.de and bruteforceblocker, so I tried loading block rules based on those lists into the iptables firewalls, but that caused iptables to take a few minutes to load (!) and made the firewalls perform poorly, since every packet is checked against each rule in turn.

So after some investigation I found ipset. ipset lets you create sets that hold a large number of IP addresses and/or networks (among other things) which a single iptables rule can match against via a hash lookup, without the performance hit of thousands of individual rules.

To set it up you'll need to install ipset. On Debian this is done as follows:

~$ apt-get install ipset

On yum-based systems (CentOS/RHEL) you'd use:

~$ yum install ipset

A simple example of setting up an ipset set with some IP addresses and networks and a matching iptables rule. The set will be called example_list:

~$ ipset create example_list hash:net family inet

This creates an empty set of type hash:net, which can hold both single addresses and CIDR networks. Now we can add addresses and networks to the set; for this example I'll use addresses from the private 10.0.0.0/8 block.

Now, adding the iptables rule before the ipset set has been created will fail, as iptables cannot reference a set that does not exist. Conversely, a set cannot be destroyed as long as an iptables rule references it. This highlights the first issue when implementing this: iptables will refuse to load a ruleset that references sets which have not been created yet, so the rules will not load at boot time. Also, ipset sets live in kernel memory and do not survive a reboot, which means we need to (re)create the sets before the iptables rules are restored.

Another potential issue is that external blocklists like the one from blocklist.de need to be updated regularly. So I've written a few scripts to take care of all of this. I'm not claiming this is the best way of doing things, but it works well for me.

The first script retrieves IP blocklists; I've called it 'getblocklist.sh' and it resides in /usr/local/sbin. It works with most blocklists, as all it expects is one IP address per line. It stores a local copy of the list and only downloads a new one if the local copy is more than 24 hours old, to avoid unnecessary load on the remote server. The script creates the ipset set if it doesn't exist and flushes it if it does.

Now create the /etc/ipset directory and, for any local list you have, make sure a file exists; these files can be empty. So for the example above, create /etc/ipset/localban and /etc/ipset/trusted_allowed.
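The getblocklist.sh from the post is not reproduced here. As an added example that is not the post's own script, the following does the same job (fetch a one-address-per-line list at most once a day, create the set if needed, load it, reference it from iptables) with two refinements a practitioner will want: every line is validated before loading, because `ipset restore` aborts on the first malformed entry, and the new contents are built in a scratch set and swapped in atomically, so the live set is never empty while it is being refreshed. The set names, the /etc/ipset cache directory, the blocklist URL and the sample list are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not the getblocklist.sh from the original post. Set names,
# cache directory, blocklist URL and sample data are assumptions.

CACHE_DIR=/etc/ipset                                       # assumed, matches the post's layout
MAX_AGE_MIN=1440                                           # re-download after 24 hours
BLOCKLIST_URL="https://lists.blocklist.de/lists/all.txt"   # assumed URL

# True (exit 0) when FILE is missing or older than MAX_AGE_MIN minutes.
list_is_stale() {
    local f=$1
    [ -f "$f" ] || return 0
    [ -n "$(find "$f" -mmin +"$MAX_AGE_MIN" 2>/dev/null)" ]
}

# Download URL to FILE only when the cached copy is stale. The download goes
# to a temp name first so a failed fetch never truncates the cached list.
fetch_list() {
    local url=$1 f=$2
    list_is_stale "$f" || return 0
    curl -fsS --max-time 60 -o "$f.tmp" "$url" && mv "$f.tmp" "$f"
}

# Keep only syntactically valid IPv4 addresses or CIDR blocks from stdin,
# deduplicated. Blank lines, CRs and "# comments" are dropped.
valid_ipv4_entries() {
    tr -d '\r' | awk '
        {
            sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == "") next
            n = split($0, p, "/")
            if (n > 2) next
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print
        }' | sort -u
}

# Create SET if it does not exist (hash:net holds single addresses and
# networks). Done here rather than in the restore script so that a set someone
# created by hand with other parameters does not make `create` fail.
ensure_set() {
    ipset list -n 2>/dev/null | grep -qx "$1" \
      || ipset create "$1" hash:net family inet hashsize 4096 maxelem 262144
}

# Emit an `ipset restore` script that fills SET_tmp from FILE, swaps it with
# the live SET and drops the scratch set. The iptables rule keeps pointing at
# SET throughout, so there is no window in which nothing is blocked.
ipset_restore_script() {
    local set=$1 file=$2 tmp="${1}_tmp"
    echo "create $tmp hash:net family inet hashsize 4096 maxelem 262144"
    echo "flush $tmp"
    valid_ipv4_entries < "$file" | awk -v s="$tmp" '{ print "add " s " " $0 }'
    echo "swap $tmp $set"
    echo "destroy $tmp"
}

# Add one INPUT rule for SET with ACTION unless an identical rule exists.
ensure_rule() {
    local set=$1 action=$2
    iptables -C INPUT -m set --match-set "$set" src -j "$action" 2>/dev/null \
      || iptables -I INPUT -m set --match-set "$set" src -j "$action"
}

# Run with --apply (as root) before the iptables rules are restored at boot,
# e.g. from a systemd unit ordered before the iptables restore, and again from
# cron for the daily refresh. Without --apply nothing touches the kernel.
if [ "${1:-}" = "--apply" ]; then
    mkdir -p "$CACHE_DIR"
    fetch_list "$BLOCKLIST_URL" "$CACHE_DIR/blocklist"
    for s in blocklist localban trusted_allowed; do
        [ -f "$CACHE_DIR/$s" ] || : > "$CACHE_DIR/$s"      # empty file = empty set
        ensure_set "$s"
        ipset_restore_script "$s" "$CACHE_DIR/$s" | ipset -exist restore
    done
    ensure_rule blocklist DROP
    ensure_rule localban DROP
    ensure_rule trusted_allowed ACCEPT   # inserted last, so it sits above both DROP rules
fi
```

The ACCEPT rule for trusted_allowed is inserted last on purpose: `-I` puts each rule at the top, so the allow list ends up evaluated before either block list and an address you rely on can never be locked out by an entry in a downloaded list. Inspect the generated restore script with `ipset_restore_script blocklist /etc/ipset/blocklist | head` before trusting the apply step.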

Ever wanted to know when a script was last updated without implementing a version control tool like Subversion? Adding a comment to your script with the date of the last change is a good start, but it relies on manually updating the comment every time a change is made. Adding the code below to your .vimrc file (and/or to the .vimrc of the root user) automates this for you; it also adds the username of the editor. Of course this is no substitute for proper auditing, since the stamp can be edited by hand and is skipped by any other editor, but it has proven quite useful when working in a team of 3 to 5 system administrators. It also works well for Apache vhost files or DNS zone files, for instance.

On occasion I encounter a situation where, due to a configuration issue, mail was received on a server and stored in the default mbox format instead of being delivered to a user account on the real mail server.

The following script reads an mbox file and redelivers each message to the original recipient specified in the message or, if specified, to a global recipient.
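The post's script is not reproduced here. As an added example that is not the author's code, the following shell functions do the same thing: split the mbox on its "From " separator lines, work out each message's original recipient and hand the message back to the local MTA with sendmail. Two details matter in practice: the receiving MTA's Delivered-To: header is the real envelope recipient (To: may be a list address or a display name), and the mbox format quotes body lines starting with "From " as ">From ", which must be undone before reinjection. Fix the delivery misconfiguration first, or the messages will simply land in the same mbox again. The sample mbox and addresses are constructed.

```bash
#!/bin/bash
# Added example, not the script from the original post. The sample mbox used
# for testing is constructed; addresses are example.com / example.org.

# Split MBOX on "From " separator lines into DIR/0001.eml, 0002.eml, ... and
# print the message count. mboxrd-style ">From " quoting in bodies is undone.
mbox_split() {
    local mbox=$1 dir=$2
    awk -v dir="$dir" '
        /^From / { if (out) close(out); n++; out = sprintf("%s/%04d.eml", dir, n); next }
        out {
            line = $0
            if (line ~ /^>+From /) line = substr(line, 2)
            print line > out
        }
        END { if (out) close(out); print n + 0 }' "$mbox"
}

# Print the original recipient of message file MSG: the first Delivered-To:
# header (added by the receiving MTA, so it is the actual envelope recipient),
# falling back to the address in the first To: header. Stops at the blank
# line that ends the headers so body text cannot inject a recipient.
mbox_recipient() {
    awk '
        /^$/ { exit }
        tolower($0) ~ /^delivered-to:/ && !d { d = $2 }
        tolower($0) ~ /^to:/ && !t { t = $0; sub(/^[Tt][Oo]:[ \t]*/, "", t) }
        END { print (d != "" ? d : t) }' "$1" | sed -E 's/.*<([^>]+)>.*/\1/'
}

# Re-inject every message in MBOX via the local MTA. A global recipient, when
# given, overrides the per-message recipient (the "if specified" case above).
# Recipients that are empty or look like an option are skipped, never passed
# to sendmail.
mbox_redeliver() {
    local mbox=$1 global=${2:-} dir f rcpt
    dir=$(mktemp -d)
    mbox_split "$mbox" "$dir" >/dev/null
    for f in "$dir"/*.eml; do
        rcpt=${global:-$(mbox_recipient "$f")}
        case $rcpt in
            ''|-*) echo "skipping $f: no usable recipient" >&2; continue ;;
        esac
        sendmail -i "$rcpt" < "$f"
    done
    rm -rf "$dir"
}
```

Usage: `mbox_redeliver /var/mail/root` redelivers to each message's own recipient; `mbox_redeliver /var/mail/root someone@example.com` sends everything to one mailbox. Run mbox_split into a scratch directory and inspect a few .eml files before redelivering a large spool.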